{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22250", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-07T05:19:12.921Z", "datePublished": "2026-01-12T17:52:01.390Z", "dateUpdated": "2026-01-12T18:07:33.376Z"}, "containers": {"cna": {"title": "wlc can skip SSL verification", "problemTypes": [{"descriptions": [{"cweId": "CWE-295", "lang": "en", "description": "CWE-295: Improper Certificate Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WeblateOrg/wlc/security/advisories/GHSA-2mmv-7rrp-g8xh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WeblateOrg/wlc/security/advisories/GHSA-2mmv-7rrp-g8xh"}, {"name": "https://github.com/WeblateOrg/wlc/pull/1097", "tags": ["x_refsource_MISC"], "url": "https://github.com/WeblateOrg/wlc/pull/1097"}, {"name": "https://github.com/WeblateOrg/wlc/commit/a513864ec4daad00146e6d6e039559726e256fa3", "tags": ["x_refsource_MISC"], "url": "https://github.com/WeblateOrg/wlc/commit/a513864ec4daad00146e6d6e039559726e256fa3"}], "affected": [{"vendor": "WeblateOrg", "product": "wlc", "versions": [{"version": "< 1.17.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-12T17:52:01.390Z"}, "descriptions": [{"lang": "en", "value": "wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, the SSL verification would be skipped for some crafted URLs. This vulnerability is fixed in 1.17.0."}], "source": {"advisory": "GHSA-2mmv-7rrp-g8xh", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-12T18:05:29.339306Z", "id": "CVE-2026-22250", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-12T18:07:33.376Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22250", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-12T18:05:29.339306Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-12T18:06:39.190Z"}}], "cna": {"title": "wlc can skip SSL verification", "source": {"advisory": "GHSA-2mmv-7rrp-g8xh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 2.5, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "WeblateOrg", "product": "wlc", "versions": [{"status": "affected", "version": "< 1.17.0"}]}], "references": [{"url": "https://github.com/WeblateOrg/wlc/security/advisories/GHSA-2mmv-7rrp-g8xh", "name": "https://github.com/WeblateOrg/wlc/security/advisories/GHSA-2mmv-7rrp-g8xh", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/WeblateOrg/wlc/pull/1097", "name": "https://github.com/WeblateOrg/wlc/pull/1097", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/WeblateOrg/wlc/commit/a513864ec4daad00146e6d6e039559726e256fa3", "name": "https://github.com/WeblateOrg/wlc/commit/a513864ec4daad00146e6d6e039559726e256fa3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, the SSL verification would be skipped for some crafted URLs. This vulnerability is fixed in 1.17.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-295", "description": "CWE-295: Improper Certificate Validation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-12T17:52:01.390Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22250", "state": "PUBLISHED", "dateUpdated": "2026-01-12T18:07:33.376Z", "dateReserved": "2026-01-07T05:19:12.921Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-12T17:52:01.390Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:weblate:wlc:*:*:*:*:*:*:*:*", "matchCriteriaId": "B01083E5-842F-4D93-8069-D4578C071C90", "versionEndExcluding": "1.17.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, the SSL verification would be skipped for some crafted URLs. This vulnerability is fixed in 1.17.0."}], "id": "CVE-2026-22250", "lastModified": "2026-01-27T20:37:11.263", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-12T18:15:49.307", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/WeblateOrg/wlc/commit/a513864ec4daad00146e6d6e039559726e256fa3"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/WeblateOrg/wlc/pull/1097"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/WeblateOrg/wlc/security/advisories/GHSA-2mmv-7rrp-g8xh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T07:01:19.215741+00:00", "value": {"mitigation_remediation": ["Upgrade wlc to version 1.17.0 or later, which restores SSL verification for all URLs.", "Review and adjust any scripts or pipelines that feed crafted URLs into wlc to ensure they do not trigger the bypass.", "After upgrading, test SSL verification by attempting to connect to a server with a self\u2011signed certificate; wlc should reject the connection and report verification failure."], "summary": {"action": "Update client", "impact": "Man\u2011in\u2011the\u2011Middle"}, "threat_synthesis": {"affected_systems": "The affected product is the Weblate command\u2011line client (wlc) produced by WeblateOrg. All releases prior to version 1.17.0 are vulnerable; no specific patch versions are listed beyond 1.17.0. The issue applies to any installation of wlc that processes user\u2011supplied URLs, regardless of the target server.", "description_and_impact": "A flaw in the Weblate command\u2011line client (wlc) allows the program to skip SSL verification when accessing certain crafted URLs. This means an attacker can inject a malicious URL that the client will trust, potentially exposing data to a man\u2011in\u2011the\u2011middle attack. The vulnerability is based on a verification bypass flaw, classified as CWE\u2011295, and the developer has acknowledged that the client would mistakenly skip all SSL checks for these URLs.", "risk_and_exploitability": "The CVSS score is 2.5, indicating a low severity. The EPSS score is below 1\u202f%, reflecting a very low likelihood of exploitation, and the vulnerability is not listed as a known exploited vulnerability in CISA\u2019s KEV catalog. The vulnerability can likely be exercised by any user able to run wlc with crafted URLs, meaning the attack vector is a local or remote user with access to the client\u2019s command line. Because the flaw does not grant arbitrary code execution, the consequences are limited to enabling a man\u2011in\u2011the\u2011middle attack on the client\u2019s outgoing connections."}}}}, "created": "2026-01-13T09:27:33.568355+00:00", "updated": "2026-04-18T07:15:25.845374+00:00", "vendors": ["weblateorg", "weblateorg$PRODUCT$wlc"]}